DarkSword iOS Exploit Chain

Byadmblake March 27, 2026

What is the Attack? Researchers from Google Threat Intelligence Group identified DarkSword, a sophisticated full-chain iOS exploit framework actively used by multiple surveillance vendors and suspected state-sponsored actors. Observed since at least November 2025, the exploit has been deployed in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, enabling silent compromise of iOS devices…

What is the Attack?

Researchers from Google Threat Intelligence Group identified DarkSword, a sophisticated full-chain iOS exploit framework actively used by multiple surveillance vendors and suspected state-sponsored actors. Observed since at least November 2025, the exploit has been deployed in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, enabling silent compromise of iOS devices and delivery of post-exploitation malware.

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve:

Remote Code Execution (RCE)

Sandbox Escape

Kernel-Level Privilege Escalation

Campaign-Specific Tradecraft:

Saudi Arabia: Fake Snapchat lookalike used as a social engineering lure

Ukraine: Compromise of at least two local websites, including a government site (watering hole attack)

Post-Exploitation Malware Families:

GHOSTBLADE: Initial-stage implant for device profiling and access validation

GHOSTKNIFE: Intermediate payload enabling data collection and command execution

GHOSTSABER: Advanced implant supporting persistent surveillance and data exfiltration

What is the recommended Mitigation?

Immediate Patching:

Upgrade iOS devices beyond affected versions as security updates become available
Web Filtering & DNS Security:

Block access to suspicious or newly registered domains used in exploit delivery
High-Risk User Protection:

Enforce stricter controls (device hardening, limited browsing exposure) for sensitive roles
Threat Intelligence Integration:

Continuously ingest indicators related to DarkSword infrastructure and malware families

What FortiGuard Coverage is available?

• FortiGuard Incident Response: Organizations that suspect compromise of iOS devices via the DarkSword exploit chain should engage FortiGuard Incident Response for rapid investigation, containment, forensic analysis, and recovery support. Focus areas include identification of exploit-triggering web activity, analysis of post-exploitation malware (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER), validation of device compromise scope, and detection of potential data exfiltration or persistent surveillance mechanisms.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring threat activity associated with DarkSword and related mobile exploitation frameworks identified by Google Threat Intelligence Group.

• FortiGuard Antivirus & Behavior Detection: Protects against post-exploitation malware families associated with DarkSword, including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

Virus | FortiGuard Labs

• FortiGuard Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known DarkSword-associated indicators, including malicious domains used for exploit delivery, watering hole infrastructure, and command-and-control endpoints

Blog

A Cybersecurity Playbook for AI Adoption

AI adds real value to cybersecurity today, but it cannot yet serve as a single security guardian. Here’s how organizations can safely combine AI-driven analysis with deterministic rules and proven security practices.

Read More A Cybersecurity Playbook for AI Adoption
Blog

Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild

The authentication bypass vulnerability in the OS for the company’s firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.

Read More Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild
Blog

Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud

Microsoft on Wednesday announced that it has taken a “coordinated legal action” in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses. The effort, per the tech giant, is part of a broader law enforcement effort in collaboration with law enforcement authorities that…

Read More Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud
Blog

Cyberattackers Exploit Zimbra Zero-Day Via ICS

A threat actor purporting to be from the Libyan Navy’s Office of Protocol targeted Brazil’s military earlier this year using the rare tactic.

Read More Cyberattackers Exploit Zimbra Zero-Day Via ICS
Blog

UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware

A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor’s targeting beyond Ukraine and into entities supporting the war-torn nation. The activity, which targeted an unnamed entity involved in regional

Read More UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware
Blog

US Nuclear Agency Hacked in Microsoft SharePoint Frenzy

Threat actors are piling on the zero-day vulnerabilities in SharePoint, including at least three Chinese nation-state cyberespionage groups.

Read More US Nuclear Agency Hacked in Microsoft SharePoint Frenzy

Related